Like many before, I have been trying to fix a Pipas.A problem with no success. Kinda learning as I go. Able to clean my system with Spybot, ran Norton AV and Adware, but after each boot it comes back. Downloaded the Fixwareout suggestion (included log below) and ran it, but Pipas.A came back. Attached the SpybotSD report (I had to cut some of the data to fit on the thread, but can resend if needed). Not sure what else might be needed to help.


--- Search result list ---
Pipas.A: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins


--- Spybot - Search && Destroy version: 1.3 ---
2006-02-24 Includes\Cookies.sbi
2006-02-24 Includes\Dialer.sbi
2006-02-24 Includes\Hijackers.sbi
2006-02-24 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-02-24 Includes\Malware.sbi
2006-02-24 Includes\PUPS.sbi
2006-02-24 Includes\Revision.sbi
2006-02-24 Includes\Security.sbi
2006-02-24 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-02-24 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 320920
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 59040
MD5: 2a373cda6d5dced20ec56fe7d9e47e5c

Located: HK_LM:Run, cmon14
command: defect08.exe


--- Process list ---
Spybot - Search && Destroy process list report, 2/27/2006 10:23:55 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 144 (1704) C:\Program Files\Norton AntiVirus\navapsvc.exe
PID: 164 (1704) C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
PID: 168 (1704) C:\WINDOWS\System32\svchost.exe
PID: 220 (1504) C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
PID: 236 (1704) C:\WINDOWS\System32\svchost.exe
PID: 352 (1704) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 416 (1504) C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PID: 456 (1504) C:\Program Files\Microsoft Office\Office\OSA.EXE
PID: 460 (1704) C:\Program Files\Dantz\Retrospect\retrorun.exe
PID: 484 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
PID: 520 (1704) C:\WINDOWS\System32\svchost.exe
PID: 672 (1704) C:\WINDOWS\system32\spoolsv.exe
PID: 784 (1704) C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
PID: 844 (1704) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PID: 928 (1704) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 944 (1504) C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
PID: 960 (1704) C:\WINDOWS\System32\svchost.exe
PID: 1036 (1704) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1052 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
PID: 1200 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
PID: 1480 (1704) C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
PID: 1504 (1444) C:\WINDOWS\Explorer.EXE
PID: 1528 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
PID: 1572 ( 4) \SystemRoot\System32\smss.exe
PID: 1636 (1572) \??\C:\WINDOWS\system32\csrss.exe
PID: 1660 (1572) \??\C:\WINDOWS\system32\winlogon.exe
PID: 1704 (1660) C:\WINDOWS\system32\services.exe
PID: 1716 (1660) C:\WINDOWS\system32\lsass.exe
PID: 1832 (1704) C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
PID: 1872 (1704) C:\WINDOWS\system32\svchost.exe
PID: 1928 (1704) C:\WINDOWS\system32\svchost.exe
PID: 2020 (1704) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 2580 (1704) C:\WINDOWS\System32\alg.exe
PID: 2748 (1504) C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
PID: 2768 (1504) C:\WINDOWS\System32\ezSP_Px.exe
PID: 3276 (1704) C:\WINDOWS\System32\svchost.exe
PID: 3332 (1504) C:\Program Files\QuickTime\qttask.exe
PID: 3372 (1504) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3432 (1504) C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
PID: 3456 (1504) C:\WINDOWS\LTSMMSG.exe
PID: 3492 (1504) C:\Program Files\Microsoft IntelliPoint\point32.exe
PID: 3504 (1504) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 3512 (1504) C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PID: 3520 (1504) C:\WINDOWS\system32\WDBtnMgr.exe
PID: 3528 (1504) C:\Program Files\iTunes\iTunesHelper.exe
PID: 3600 (1504) C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE
PID: 3624 (1504) C:\Program Files\Messenger\msmsgs.exe
PID: 3696 (1504) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 3708 (1704) C:\Program Files\iPod\bin\iPodService.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2/27/2006 10:23:55 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}268492614297-1EAB-21A4-CF50-D6123A7E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmfof.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMFOF.EXE
C:\WINDOWS\SYSTEM32\CSFPF.EXE
C:\WINDOWS\SYSTEM32\ENCODEX.EXE
* csr.exe C:\WINDOWS\System32\CSFPF.EXE
* csr.exe C:\WINDOWS\System32\ENCODEX.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Thanks for any help,

Stress